Greece Enters Officially the GDPR Era by Implementing Law 4624/2019

Greek Parliament finally adopted the long-awaited New Data Protection Law 4624/2019 “on the Greek Data Protection Authority, the implementation of Regulation 2016/679 and the transposition of Directive 2016/680” (Government Gazette A/137/29.08.2019). The territorial scope of the new Law extends to Greek Public authorities, as well as private entities, which either: i. have an establishment in Greece or ii. process personal data within the territory of Greece or iii. process personal data of Greek citizens. Such new Law, structured mainly on the German Data Protection Law (DSAnpUG-EU) aims to adapt Greece's current data protection law to the General Data Protection Regulation (GDPR) by making use of opening clauses in order to complement the GDPR, to transpose the Law Enforcement Directive into Greek law and to regulate the establishment and functioning of the competent supervisory authority.

A Misguided Call to Put Serbian Data Protection Law on Hold

In the past two days, the recently appointed head of Serbian data protection supervisory authority announced one radical move and sharply criticised some provisions in Serbia’s new data protection law. The commitment and audacity of Milan Marinovic should be encouraging to those who feared that the new data protection tsar would be the exact opposite of his very vocal predecessor, Rodoljub Sabic. However, when examined on the merits, Marinovic’s statements give a reason for concern. The main point Marinovic made in his appearance on the state-run television and in a statement to a news portal is that, in his opinion, implementation of the Data Protection Act 2018 should be postponed. The law, adopted in November last year, provided for a nine-month grace period. Therefore, the implementation of the law should commence on 21 August 2019. Marinovic is now calling for an additional one-year deferral. To strengthen his case, Marinovic made a few policy and legal arguments which are of dubious validity.

First GDPR Fines in Romania

NNDKP's head of the Data Protection practice, Roxana Ionescu, published two articles in relation to the first two fines notified by the Romanian Data Protection Authority (DPA). In applying its first fine, the Romanian DPA has reinforced its past practice on minimising the processing of personal numeric codes (equivalent to social security numbers) while making use of new concepts under the General Data Protection Regulation, like the accountability principle and data protection by design and by default. The second fine was imposed due to a data breach.

CNIL’s Primer on Video Surveillance at Work: Uniontrad Company Decision

On 18 June 2019, the French data protection supervisory authority (“CNIL”) issued a decision on video surveillance at work. The Uniontrad Company case demonstrates that a law specifically regulating the processing of images is not an indispensable prerequisite for reaching a decision. Instead, CNIL relied on the general GDPR rules on proportionality, fair notices, and security of processing. That does not mean that every detail of the video surveillance legal regime obviously flows from the general data protection rules. For example, data protection authorities may differ as regards the format of a data processing notice. But the fundamental rules governing video surveillance at work are clear, even in the absence of a specific regulation.

One Year of GDPR in the EU Countries of SEE Legal

Marking the first anniversary of the introduction of General Data Protection Regulation 2016/679 (the “GDPR”) in the EU, SEE Legal EU members provide a short overview on the current standing of the GDPR application in their respective jurisdictions – Bulgaria, Croatia, Greece, Romania and Slovenia.

BDK Advokati at Tarabica IT conference

Partner Bogdan Ivanisevic and senior associate Milica Basta represented BDK Advokati at this year’s edition of Tarabica IT conference, held on 25 May in Belgrade. The event is traditionally dedicated to topics relevant to the IT industry and as such, it mainly gathers IT professionals from major Serbian companies and institutions.

Amendment to the Bulgarian Personal Data Protection Act

Today, the long-awaited amendment to the Personal Data Protection Act was promulgated in the Bulgarian State Gazette. Most notably, the law designates the Commission on Personal Data Protection as the Bulgarian supervisory authority under the GDPR and officially repeals the registration regime for personal data controllers which was inapplicable in practice since 25 May 2018. Following the entry into effect of the amendment, the Commission is to adopt additional ordinances and amendments to its internal rules. Furthermore, the law implements the rules of Directive (EU) 2016/680 related to the…

Bulgarian List of Processing Operations Requiring Data Protection Impact Assessment

The Bulgarian Commission on Personal Data Protection adopted a list of processing operations for which it would be mandatory for controllers to conduct data protection impact assessments. The controllers whose main or only place of establishment is on the territory of the Republic of Bulgaria will be required to conduct a data protection impact assessment in all cases when a specific processing is likely to result in a high risk to the rights and freedoms of the individuals.

BDK Advokati's Seminar on GDPR Attracts 70 Participants From Montenegro

On 18 December 2018, BDK Advokati in cooperation with AmCham Montenegro held a seminar on the General Data Protection Regulation (GDPR) in Podgorica, for 70 participants from Montenegrin companies and law firms. Bogdan Ivanisevic, head of BDK Advokati team specialized in data protection & privacy, summarized the key characteristics of GDPR and explained how the Regulation extends to companies outside the EU, including those from Montenegro. He pointed to the presence of vague standards in GDPR which in the years to come will require further elucidation by data protection authorities and…

BDK Advokati about Tension between AI and Data Protection

Marko Popovic, associate at BDK Advokati, spoke at the Winter Vivaldi CFO & Legal Forum, organised by Mokra Gora School of Management at Mecavnik, western Serbia, on 30 November 2018. The forum attracted more than 60 participants, mostly CEOs and CFOs of a host of Serbian companies and start-ups alongside software developers, lawyers, accountants, and other professionals. The main topic of the forum was Conducting Business without People – Financial and Legal Consequences. Together with four other lawyers coming from Serbia’s leading law firms, Marko participated at the panel on the EU…

When does GDPR Apply to a Non-EU Entity? EDPB Provides Guidance

Zorana Brujic of BDK Advokati discusses the guidance provided by EDPB on GDPR’s application on non-EU entity. European Data Protection Board (“EDPB”) published on 16 November 2018 the long-awaited Guidelines 3/2018 on the territorial scope of the General Data Protection Regulation (“GDPR”). As those with even a cursory interest in the matter knew, a company not established in the EU can still be within the reach of GDPR’s strict rules. But exactly when that is the case was not entirely clear from GDPR’s provisions and recitals. With these guidelines EDPB aims to clarify the criteria…

John Kyriakides Speaks at Cyber Security and Data Protection Conference

Kyriakides Georgopoulos Law Firm’s Litigation Partner, John Kyriakides, spoke on "Cybercrime and Personal Data. The GDPR Perspective from a Legal Standpoint" at the Cyber Security and Data Protection: Risks and Challenges in Disruptive Technologically Times Conference during the Thessaloniki International Fair on 12 September 2018.  The conference was organised by the American-Hellenic Chamber of Commerce and was marked by great success.